Zone Based Firewall and SSL VPN

tkatsiaounis
Level 1

Hello. I have a Cisco 1841 router and I am trying to make it work as a zone-based firewall with AnyConnect SSL VPN connections. I have created 4 zones (Inside, Outside, DMZ and VPN) and I managed to have the router working with internet traffic and VPN connectivity. However, I cannot access any of the hosts on the DMZ and Inside zones. After the VPN gets established I can ping the router interface IPs (Inside, DMZ), but from there on, "silence". I am trying to take remote desktop of a PC in the DMZ zone but I cannot. Tried to use an SQL server on the inside with the same results.

So my question is obvious. How can I make it pass my traffic to the hosts I intend to?

What is wrong with my config (attached, with changed IPs, domains, etc.)?

I would be grateful for any help. Thanks very much in advance.

Accepted Solution

Jennifer Halim
Cisco Employee

ACL "tunnel-traffic" is configured in the wrong direction.

Currently it's as follows:

ip access-list extended tunnel-traffic
permit ip any 192.168.12.0 0.0.0.7

It should be as follows:

ip access-list extended tunnel-traffic
permit ip 192.168.12.0 0.0.0.7 any

Or, if you would like to be more restrictive, it should be as follows:

ip access-list extended tunnel-traffic
permit ip 192.168.12.0 0.0.0.7 192.168.13.0 0.0.0.15
permit ip 192.168.12.0 0.0.0.7 192.168.14.0 0.0.0.63

Because it is in the direction of VPN pool towards both the DMZ (policy: vpn-to-dmz-policy) and inside (policy: vpn-to-in-policy) subnet.

Hope that helps.
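To make the direction point concrete, here is an added example (not from the thread and not Cisco code) that evaluates the three ACL variants quoted above against a few constructed flows. It implements IOS wildcard-mask matching for `permit ip SRC DST` entries and shows that the original ACL never matches a packet leaving the VPN pool (192.168.12.0 0.0.0.7) toward the DMZ or inside subnets, whereas both corrected versions do. The host addresses 192.168.12.3, 192.168.13.10, 192.168.14.20 and 10.0.0.5 are constructed samples, and the assumption is that the class maps behind vpn-to-dmz-policy and vpn-to-in-policy match this ACL by name.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The three ACL variants quoted in the accepted answer.
ORIGINAL_ACL = """
ip access-list extended tunnel-traffic
 permit ip any 192.168.12.0 0.0.0.7
"""
CORRECTED_ACL = """
ip access-list extended tunnel-traffic
 permit ip 192.168.12.0 0.0.0.7 any
"""
RESTRICTIVE_ACL = """
ip access-list extended tunnel-traffic
 permit ip 192.168.12.0 0.0.0.7 192.168.13.0 0.0.0.15
 permit ip 192.168.12.0 0.0.0.7 192.168.14.0 0.0.0.63
"""

Addr = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Ace:
    action: str
    src: Addr
    dst: Addr


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the 'permit/deny ip SRC DST' entries of an extended ACL (header line skipped)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def _wild_match(ip: int, addr: int, wild: int) -> bool:
    # A wildcard bit of 1 means "don't care"; every 0 bit must equal addr.
    return (ip ^ addr) & (~wild & 0xFFFFFFFF) == 0


def acl_action(text: str, src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for a src->dst flow; the ACL ends in an implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in parse_acl(text):
        if _wild_match(s, *ace.src) and _wild_match(d, *ace.dst):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample hosts: a VPN client from the pool, a DMZ server, an inside server.
    vpn_client, dmz_host, inside_host = "192.168.12.3", "192.168.13.10", "192.168.14.20"
    for name, acl in [("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL),
                      ("restrictive", RESTRICTIVE_ACL)]:
        print(f"{name:12s} VPN->DMZ: {acl_action(acl, vpn_client, dmz_host):6s} "
              f"VPN->inside: {acl_action(acl, vpn_client, inside_host)}")
```

Running it prints `deny` for the original ACL in both directions the zone pairs care about and `permit` for the corrected ones. The class map in a zone pair only ever sees the packet that initiates the session (VPN pool as source), and the inspect action creates the state that lets the DMZ or inside host's replies back through, so the ACL has to describe the VPN-to-server direction, not the reverse.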

2 Replies

THANKS a lot. Really couldn't see that. Saved me from a headache.
